On 1/30/20 8:43 AM, Erik Skultety wrote:
Our nwfilter code doesn't set any timeout on the pcap paket buffer which
packet
means that when DHCP snooping is enabled on a guest interface and libvirt is trying to learn the IP address from guest's DHCP traffic, it takes up to 4x longer to ping a guest successfully compared to a case where nwfilter isn't enabled at all or libvirt uses the cached nwfilter leases to populate the corresponding rules to ebtables. With the pcap filter and rate limiting already in place, we should be able to afford enabling the immediate paket delivery, FWIW immediate
packet
mode was actually the default prior libpcap-1.5.0 (CentOS 6) regardless of whether a buffer was requested. The lack of any kind of timeout on the pcap buffer messed with the libvirt TCK test suite which, even with a generous timeout in place, timeouts every single time simply because it takes a while until guest actually starts producing any kind of traffic to fill up the buffer in place (appart from the DHCP traffic which happens fairly
apart
early on). Signed-off-by: Erik Skultety <eskultet@xxxxxxxxxx> ---
-- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org
